Australian Government Information Security Manual. ISM... · One of the core elements of detecting and investigating cyber security incidents is the availability of appropriate data

1

Guidelines for Cyber Security Incidents

Detecting cyber security incidents

Cyber security events

A cyber security event is an occurrence of a system, service or network state indicating a possible breach of security policy, failure of safeguards or a previously unknown situation that may be relevant to security.

Cyber security incidents

A cyber security incident is an unwanted or unexpected cyber security event, or a series of such events, that have a significant probability of compromising business operations.

Cyber resilience

Cyber resilience is the ability to adapt to disruptions caused by cyber security incidents while maintaining continuous business operations. This includes the ability to detect, manage and recover from cyber security incidents.

Detecting cyber security incidents

One of the core elements of detecting and investigating cyber security incidents is the availability of appropriate data sources. Fortunately, many data sources can be extracted from existing systems without requiring specialised capabilities.

The following table describes some of the data sources that organisations can use for detecting and investigating cyber security incidents.

Data Source Description

Domain Name System logs Can assist in identifying attempts to resolve malicious domains or Internet Protocol (IP) addresses which can indicate an exploitation attempt or successful compromise.

Email server logs Can assist in identifying users targeted with spear-phishing emails. Can also assist in identifying the initial vector of a compromise.

Australian Government Information Security Manual DECEMBER 2019

2

Operating system event logs Can assist in tracking process execution, file/registry/network activity, authentication events, operating system created security alerts and other activity.

Virtual Private Network and remote access logs Can assist in identifying unusual source addresses, times of access and logon/logoff times associated with malicious activity.

Web proxy logs Can assist in identifying Hypertext Transfer Protocol-based vectors and malware communication traffic.

In addition, logs created by various security tools and appliances such as antivirus software, content filters and host-based or network-based intrusion detection or intrusion prevention systems can be captured and correlated alongside other data sources.

Intrusion detection and prevention policy

Establishing an intrusion detection and prevention policy can increase the likelihood of detecting, and subsequently preventing, malicious activity on networks and systems. In doing so, an intrusion detection and prevention policy will likely cover the following:

methods of network-based intrusion detection and prevention used

methods of host-based intrusion detection and prevention used

guidelines for reporting and responding to detected intrusions

resources assigned to intrusion detection and prevention activities.

Security Control: 0576; Revision: 7; Updated: Aug-19; Applicability: O, P, S, TS An intrusion detection and prevention policy is developed and implemented.

Access to sufficient data sources and tools

Many potential cyber security incidents are noticed by personnel rather than software tools. As such, successful detection of cyber security incidents is often based around trained cyber security personnel with access to sufficient data sources complemented by tools supporting both manual and automated analysis.

Security Control: 0120; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS Cyber security personnel have access to sufficient data sources and tools to ensure that any security alerts generated by systems are investigated and that systems and data sources are able to be searched for key indicators of compromise including but not limited to IP addresses, domains and file hashes.

Further information

Further information on detecting cyber security incidents can be found in the event logging and auditing section of the Guidelines for System Monitoring.

3

Managing cyber security incidents

Cyber security incident register

The purpose of recording cyber security incidents in a register is to highlight their type and frequency so that corrective action can be taken. This information, along with information on the costs of any remediation activities, can also be used as an input to risk assessments and vulnerability management activities.

Security Control: 0125; Revision: 4; Updated: Aug-19; Applicability: O, P, S, TS A cyber security incident register is maintained with the following information:

the date the cyber security incident occurred

the date the cyber security incident was discovered

a description of the cyber security incident

any actions taken in response to the cyber security incident

to whom the cyber security incident was reported.

Handling and containing data spills

When a data spill occurs, organisations should inform information owners and restrict access to the information. In doing so, affected systems can be powered off, have their network connectivity removed or have additional access controls applied to the information. It should be noted though that powering off systems could destroy information that would be useful for forensic investigations. Furthermore, users should be made aware of appropriate actions to take in the event of a data spill such as not deleting, copying, printing or emailing the information.

Security Control: 0133; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS When a data spill occurs, information owners are advised and access to the information is restricted.

Handling and containing malicious code infections

Taking immediate remediation steps after the discovery of malicious code can minimise the time and cost spent eradicating and recovering from the infection. As a priority, all infected systems and media should be isolated to prevent the infection from spreading further. Once isolated, infected systems and media can be scanned by antivirus software to potentially remove the infection. It is important to note though, a complete system restoration from a known good backup or rebuild may be the only reliable way to ensure that malicious code can be truly eradicated.

Security Control: 0917; Revision: 7; Updated: Oct-19; Applicability: O, P, S, TS When malicious code is detected, the following steps are taken to handle the infection:

the infected systems are isolated

all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary

antivirus software is used to remove the infection from infected systems and media

if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt.

Allowing targeted cyber intrusions to continue

When a targeted cyber intrusion is detected, organisations may wish to allow the intrusion to continue for a short period of time in order to understand its extent. Organisations allowing a targeted cyber intrusion to continue on a system should establish with their legal advisors whether the actions are breaching the Telecommunications (Interception and Access) Act 1979.

4

Security Control: 0137; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence.

Post-incident analysis

Post-incident analysis after a targeted cyber intrusion can assist in determining whether an adversary has been removed from a system. This can be achieved, in part, by conducting a full network traffic capture for at least seven days. Organisations should then be able to identify anomalous behaviour that may indicate whether the adversary has persisted on the system or not.

Security Control: 1213; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion.

Integrity of evidence

When gathering evidence following any form of cyber security incident, it is important that its integrity is maintained. Even though an investigation may not directly lead to a law enforcement agency prosecution, it is important that the integrity of evidence such as manual logs, automatic audit trails and intrusion detection tool outputs be protected.

If the Australian Cyber Security Centre (ACSC) is requested to assist in investigations, the ACSC requests that no actions which could affect the integrity of evidence be carried out before the ACSC becomes involved.

Security Control: 0138; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS The integrity of evidence gathered during an investigation is maintained by investigators recording all of their actions and ensuring raw audit trails are copied onto media for archiving.

Further information

Further information on Incident Response Plans can be found in the system-specific security documentation section of the Guidelines for Security Documentation.

Further information on event logging, including retention periods, can be found in the event logging and auditing section of the Guidelines for System Monitoring.

Reporting cyber security incidents

Reporting cyber security incidents

Reporting cyber security incidents to an organisation’s Chief Information Security Officer (CISO), or one of their delegates, as soon as possible after they occur or are discovered provides senior management with the opportunity to assess damage to systems and their organisation, and to take remedial action if necessary, including seeking advice from the ACSC.

Security Control: 0123; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered.

Security Control: 0141; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS When organisations use outsourced information technology or cloud services, their service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered.

5

Reporting cyber security incidents to the ACSC

The ACSC uses the cyber security incident reports it receives as the basis for providing assistance to organisations. Cyber security incident reports are also used by the ACSC to identify trends and maintain an accurate threat environment picture. The ACSC utilises this understanding to assist in the development of new or updated cyber security advice, capabilities and techniques to better prevent and respond to evolving cyber threats. Organisations are recommended to internally coordinate their reporting of cyber security incidents to the ACSC.

Security Control: 0140; Revision: 6; Updated: May-19; Applicability: O, P, S, TS Cyber security incidents are reported to the ACSC.

Further information

Further information on reporting cyber security incidents to the ACSC is available at https://www.cyber.gov.au/report.